Insider threats – ‘How to begin?’ and ‘Where to start?’

– “UPS reveals Data Breach” –

– “Target loses 110 Million Bank Card Numbers” –

– “Russians Hack JP Morgan Chase” –

 Just a couple of recent headlines. And the list goes on…

We read about new security incidents virtually every day. It is almost a free marketing machine for professionals and vendors in the security space. But before running out the door to buy the latest and greatest in what the market has on offer today, let’s take a closer look at why and how these breaches occur and what areas to focus on to minimize the threat to your organization.

In most of the incidents we see, the target is data, including credit card information, bank account numbers, customer information, user credentials or any other type of sensitive information.

In many cases, these attacks can be characterized as unsophisticated attacks (as in the recent iCloud brute force attack). Actors use common hacking toolkits that are readily available on the Internet, to perform scans that help them find open ports, craft packets a firewall will let through, or detect vulnerabilities in a network environment. When they find something, they dive into it and occasionally hit the jackpot, discovering an open directory with customer information for a well-known brand.

Although these unsophisticated attacks can be very damaging for a company, they tend to be random. In that respect, falling victim to them is a combination of bad luck and poor security practices rather than anything else. This is different with more sophisticated and targeted attacks.

Companies can be targeted for many reasons, ranging from political or ethical motives (for instance concerning child labor or ill-perceived market domination) to personal or commercial gain. Whatever the reason, when your company is targeted by an attacker or group of attackers, the threat is far greater. For one thing, the attackers are focusing on just one target, allowing them to exhaustively explore possible vulnerabilities (as such, sophisticated attacks do not have to be truly advanced). But above all, these attackers are motivated, determined and persistent. Persistent to reach their goal and willing to do what is needed.

“Nothing in the world can take the place of persistence…Talent will not; nothing is more common than unsuccessful men with talent. Genius will not; unrewarded genius is almost a proverb. Education will not; the world is full of educated derelicts. Persistence and determination alone are omnipotent.” – Calvin Coolidge

This persistence lays the basis for what is often referred to as an Advanced Persistent Threat (APT in short). What makes these types of attacks so dangerous is that the attackers have a goal and – in most cases – a plan on how to reach that goal. Such a plan goes beyond technical tools and tricks; it also contains a good deal of social engineering. Social engineering tactics are playing into human psychology, where the facts an attacker already knows are used to gain trust and cleverly fish out additional pieces of information.

In most cases, these attacks start with a single e-mail message to a person or persons whose credentials seem valuable. This is called phishing or even spear fishing. It is easy to make such an e-mail appear to be sent by someone the recipient knows and trusts. And, if written well, the e-mail will not raise any suspicion when enticing the reader to click a link or open an attachment. That simple action will insert the first malware into the target environment, ranging from key-loggers and remote access Trojans to (variations of) ZeuS malware in order to steal employee credentials.

Other courses of action they may take are in the realms of recruiting an insider, targeting a partner organization with rights in the enterprise or even going as far as placing an insider into the organization. Insiders in this respect are people who rightfully hold accounts in the enterprise, either as an employee, contractor or partner, and are willing to misuse their credentials to support the attack.

Once the attackers are in, they will exploit all the access they have to increase their level of control in the environment. In FBI-reported cases where US banks and credit unions were targeted, the actors even went as far as following online courses on the company’s intranet to familiarize themselves with proper procedures and policies. They misused credentials to raise credit limits and select accounts with the highest balances before initiating oversees transactions. By gaining full control over the wire transaction process, the actors were able to transfer sums between $ 400,000 and $ 900,000 per transaction.

So, how we do we protect ourselves against those types of attacks? Let’s stick with the last example to assess that. Following these incidents, the FBI compiled a list of recommendations made to financial institutions.

As logical as the (not exhaustive) list may seem, its practices and measures are not implemented in many organizations today. Nor are they being enforced and actively monitored. And given the sheer size and complexity of larger global IT environments, that is even understandable in most cases.

 ‘How to begin?’ and ‘Where to start?’ are questions many security officers are still struggling with. The answer depends very much on your current situation, maturity level and type of organization. However, some general observations and recommendations can be made in that respect.

 Our digital world has undergone some significant changes in the past decade. The omnipresence of ‘anytime/anywhere’, ‘everything as a service’, ‘mobile computing’ and ‘bring your own device’ has created a world that is hard to control. The services and data you need to protect can literally be anywhere. Users expect to be able to have access no matter where they are or which device they happen to use at the time.

The one thing that best serves as a linking pin connecting all the dots is the individual (or identity) using the device to access your data and services. Therefore, I am big advocate of an Identity Centric Security approach.  Below I will visit five areas worth looking into, taking the identity-centric approach as a starting point.

1. Increase Awareness

One of the main issues security professionals face in keeping their environment secure and protecting it from harmful attacks, lies in the lack of awareness around risks and threats surrounding the average user. Many users today are still digital immigrants, as they did not grow up with computers. They only learned to use them as tools for performing their day-to-day tasks. What they don’t realize, though, is that when their computer is connected to the Internet they are potentially interacting with the whole world. 

You could compare it to walking around in a large city. If you grew up in that city, you will know which areas are safe and which ones better to stay away from. You will know it’s better to avoid eye contact with certain people and not to believe everything someone is telling you. When, however, you grew up in the countryside or in another country with a different culture, this might not be so obvious to you when you first set foot in that city.

When it comes to finding your way on the Internet, the same applies. Most users can be characterized as ‘foreigners’ on the Internet. As such, it is important to educate them on the dangers of interacting online. Simple rules as ‘don’t talk to/trust strangers’ and ‘there is no such thing as a free lunch’ apply just as much (or even more) online. Also, most users are completely oblivious to the risks associated with opening a link or attachment in an e-mail or going online without updating their Internet browser (and virus definitions for that matter).

Invest in an ongoing awareness program that teaches users how to recognize phishing e-mails, to be suspicious by nature when an interesting offer is presented to them and to be wary of sharing personal information online.

2. Adopt Security Best Practices

Many people have given a lot of thought already to the best ways to interact online, instill security practices that work and leverage tooling to help you manage that. So don’t try to re-invent the wheel, but embrace proven practices. I think of this as including security from the inside out, starting with the basics. Like everything else, fundamentals can be boring, but they are critical.

Simple things, such as separating functions between machines, implementing 4-eye principles for critical transactions, limiting Internet access on machines used for critical transactions or enforcing strong authentication, can make a world of difference in how susceptive your organization is to targeted attacks.

Reach out to a trusted advisor who has been around the block, and he/she will give you an open, honest and objective report of his/her findings. Make sure he/she helps you understand your security posture and identify the main threats. Focus on those first when putting in place relevant policies, processes and procedures. Once you have that clear, you can start looking at what tooling best suits your specific situation and requirements.

3. Start with Privileged Users (and expand from there)

No matter how you look at it, your privileged users pose a great risk. With a superset of entitlements, these accounts cannot only access most of the data and systems in an environment, in many cases they can also change entitlements for other users, start or stop services on machines and directly access log files to cover their tracks.

Once user credentials of a privileged account are obtained (or an administrator has malicious intent), serious harm can be done to your environment. Controlling how and by whom these privileges can be used is pivotal to preventing misuse of privileged accounts.

Make sure that administrators have strict password policies to follow and, on top of that, limit their access. If they need access to specific systems, it should be requested, subject to 4-eye principles where appropriate and automatically revoked once their task is completed. 

And above all, monitor their activity. Not just record what they are doing for forensic purposes, but actively monitor their actions in real-time and alert on activity that is not normal (for instance, in terms of location, device, time or type of activity).

4. Expand Policies and Monitoring 

Subsequently, make sure other users in your organization are subjected to the same principles. For instance, when a contractor needs access to a certain supply-chain application, make sure the same credentials won’t grant him access to your CRM system or financial applications at the same time.

Set up clear policies that define which users should be granted what access under which conditions. Implement tools that help you automate the process of provisioning (and de-provisioning!) those entitlements. Enforce context-based strong authentication for your critical systems and data stores and actively monitor their usage.

5. Integrate Identity, Access & Monitoring

In the above steps, we have addressed three different domains (from a tooling perspective):

  1. Ensuring people have the right entitlements;
  2. Enforcing access controls to authenticate users and grant appropriate access;
  3. Monitoring the user activity once access has been granted.

The next step is an integration of these domains to facilitate more context-aware and intelligent monitoring capabilities. The first two domains are linked almost by nature: you cannot grant access to a person if you don’t know which entitlement that person has.
Utilizing that information in your monitoring environment, however, is much rarer – but also very powerful… Many provisioning systems need time before a change in entitlements is enforced in all target systems. But when your monitoring solution knows about the entitlements change, misuse can be detected with a simple correlation rule.

Or think of a scenario where your SIEM solution alerts you on anomalous activity in system XYZ. In most cases, the best you get is an account name. Now imagine you can directly tie that account name to the person behind it, see their position in the organization, get an overview of other accounts they have, assess the activity in this account, etcetera. That allows you to make an actual threat assessment in seconds, after which you can directly take appropriate action.

Insider threat goes far beyond employees who have bad intentions. In most cases, careless or unaware employees pose a much bigger risk to organizations. In focusing on the user identity, making sure no excess privileges are granted and monitoring actual behavior to detect abnormal activity, an important step is made to guard your organization against sophisticated and targeted attacks. When combined with ongoing (or repeated) user awareness programs and adoption of proven security best practices, your company will be a much harder target to crack.

Frank Broeze